Disable ssh-agent from gnome-keyring on Gnome

crazyminecuber · May 14, 2023, 8:46pm

I run the gnome desktop environment, so gnome-keyring is enabled by default. I do not want gnome-keyring to remember the passwords to my ssh-keys. Or at least I do not want it to remember the passwords forever, maybe set a timeout for 5 minutes or something. I searched through the NixOS options, but did not see anything obvious to accomplish this. The only thing I found was enable option, but when I disabled this it conflicts with enabling the gnome desktop environment. I also looked through the home-manager option, where I removed ssh from the following option, but this does not seem to have changed the behavior.

  services.gnome-keyring.components =["pkcs11" "secrets"];

Maybe it’s due to gnome desktop environment starting systemd system level unit, whereas home-manager start systemd user level unit?

jtojnar · May 14, 2023, 10:46pm

The home-manager module creates a new systemd user service that starts the requested components but you need to enable it with services.gnome-keyring.enable = true in your home-manager configuration.

But since the GNOME NixOS module enables the gnome-keyring module by default, it will still start the ssh component. And because gnome-keyring currently uses XDG autostart files instead of systemd services, it is not possible to nicely disable it.

You could try force-disabling the NixOS module using services.gnome.gnome-keyring.enable = lib.mkForce false; in NixOS configuration but that will likely break something – many GNOME apps expect GNOME Keyring services to be available and the module does some things not done by home-manager. So you should probably leave the home-manager option alone, it is mainly meant for non-GNOME desktop environments.

If the recommendation on the Arch wiki is correct, you should be able to mask the autostart file, and change SSH_AUTH_SOCK environment variable, though.

Relevant issue: Allow setting `gnome-keyring` components · Issue #166887 · NixOS/nixpkgs · GitHub

adamcstephens · May 15, 2023, 2:56am

If you’re able to set SSH_AUTH_SOCK, it will always override the GKR agent. Clients use that env variable to find the agent.

obff · November 7, 2023, 3:21pm

You can disable the ssh component of the GnomeKeyring by adding an overlay for gnome.gnome-keyring that sets the configure option --disable-ssh-agent as described in [Disabling SSH agent support in GNOME Keyring] and [Overriding a package inside a scope].

final: prev: {
  gnome = prev.gnome.overrideScope' (gfinal: gprev: {
    gnome-keyring = gprev.gnome-keyring.overrideAttrs (oldAttrs: {
      configureFlags = oldAttrs.configureFlags or [ ] ++ [
        "--disable-ssh-agent"
      ];
    });
  });
};

mloeper · December 7, 2024, 10:38pm

Thanks for the solutions posted here! I had a conflict with gnome-keyring and gpg-agent both spawning an ssh-agent. I wanted to completely disable that functionality in gnome-keyring because I am not using gnome-keyring at all.

Furtunately, I found this discourse via following PR: Make gnome-keyring PAM module components configurable by avitex · Pull Request #284173 · NixOS/nixpkgs · GitHub

Here is my adjustment for the latest NixOS 24.11 Vicuña. Hope it helps someone with the same issue.

nixpkgs = {
    overlays = [
      (
        final: prev: {
          gnome-keyring = prev.gnome-keyring.overrideAttrs (oldAttrs: {
            configureFlags = (builtins.filter (flag: flag != "--enable-ssh-agent") oldAttrs.configureFlags) ++ [
              "--disable-ssh-agent"
            ];
          });
        }
      )
    ];